Bug 516

Summary:

RhostsAuthentication failing with privsep

Product:

Portable OpenSSH

Reporter:

Alf Nicolaysen <Alf.Nicolaysen>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

normal

Priority:

Version:

-current

Hardware:

All

OS:

All

Attachments:

Description	Flags
sshd & ssh debug traces for rhosts authentication	none

Description Alf Nicolaysen 2003-03-21 23:13:24 AEDT

It seems to me, that under AIX 4.3.3 ML 10 the Rhostsauthentication fails 
completely. The files .rhosts, .shosts or even .rhosts.equiv and .shosts.equiv 
are completely ignored. 

With my client I ran the following command:

/opt/bin/ssh <hostname> -o RhostsAuthentication=yes -o Protocol=1 -o 
UsePrivilegedPort=yes

And here is the debug output from my server

# /opt/sbin/sshd -f /opt/etc/sshd_config -d -d
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 9.164.18.22 port 943
debug1: Client protocol version 1.5; client software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.5p1
debug1: permanently_set_uid: 7/204
debug1: Sent 768 bit server key and 1024 bit host key.
debug2: Network child is on pid 16256
debug1: Encryption type: 3des
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug2: monitor_read: 30 used once, disabling nowdebug1: Installing crc 
compensation attack detector.

debug1: Attempting authentication for root.
debug2: monitor_read: 6 used once, disabling now
Failed none for root from 9.164.18.22 port 943
debug2: auth_rhosts2: clientuser root hostname 9.164.18.22 ipaddr 9.164.18.22
debug1: temporarily_use_uid: 0/0 (e=7/204)
debug1: restore_uid: (unprivileged)
Failed rhosts for root from 9.164.18.22 port 943 ruser root
Connection closed by 9.164.18.22
debug1: Calling cleanup 0x200013b0(0x0)


The files .rhosts, .shosts and .shosts.equiv are existing with 600 rights on 
AIX. I compiled the version on myself.

regards 


Alf Nicolaysen

Comment 1 Markus Friedl 2003-03-22 00:37:12 AEDT

     IgnoreRhosts
             ... The default is ``yes''.

     /etc/hosts.equiv
             ... such users are permitted to log
             in as any user on this machine (except root).

Comment 2 Alf Nicolaysen 2003-03-24 16:54:36 AEDT

Yes, I set the option "IgnoreRhosts no" in the sshd_config.
I also set the option "strictModes no" to prevent a failing here. Nothing helps.

Alf

Comment 3 Darren Tucker 2003-03-24 20:41:00 AEDT

Seems to be a privsep thing.  Try running sshd with "-o 
UsePrivilegeSeparation=no".
 
I can get rhosts authentication to work if I disable privsep.  It works as a 
non-root user with shosts.equiv and with /.shosts as root.  With privsep 
enabled, it fails.  I will attach a debug log.

I also needed to make ssh setuid root so it could bind to a privileged port.

Also, the man page fragment that Markus quoted does not seem clear on root 
logins with hosts.equiv, however.  With a bit more context, it says:

"/etc/hosts.equiv
   This file is used during .rhosts authentication.  In the simplest
   form, this file contains host names, one per line.  Users on
   those hosts are permitted to log in without a password, provided
   they have the same user name on both machines.  The host name may
   also be followed by a user name; such users are permitted to log
   in as any user on this machine (except root)."

To me, the last sentence seems to say the exception for root applies only when 
the the optional username follows the hostname.

Comment 4 Darren Tucker 2003-03-24 20:58:15 AEDT

Created attachment 256 [details]
sshd & ssh debug traces for rhosts authentication

Comment 5 Darren Tucker 2003-03-24 22:43:42 AEDT

Reproduced on Redhat 8 too, this does not seem to be specific to AIX.

Comment 6 Markus Friedl 2003-03-24 23:13:16 AEDT

ok, there is no privsep code for rhosts authentication.

should it be added? rhosts is insecure and there are
alternatives like rhosts-rsa or hostbased.

should rhosts be dropped?

Comment 7 Alf Nicolaysen 2003-03-26 19:11:35 AEDT

Yes, indeed. With this option it worked. As I do not know, if it ever will be 
fixed or not, I switch to RSARhostsAuthentication and leave the 
RhostsAuthentication in this state. Thanx for your help

Alf Nicolaysen

Comment 8 Damien Miller 2004-04-14 12:24:18 AEST

Mass change of RESOLVED bugs to CLOSED